# Playbook: Run a periodic KYC review

> Re-check a client on its review date — refresh due diligence, re-screen, re-rate the risk and record the outcome — so your files stay current and inspection-ready.

_Updated 2026-07-11_

Source: /help/scenarios/periodic-kyc

**In short:** CorpSec AI tracks each client’s next-review date from its risk rating. When a review scan runs, it creates a review task and reminder for anything due or overdue. You reopen the client’s Compliance tab, re-run screening, refresh due diligence and beneficial ownership, re-rate the risk, and record the decision — which sets the next review date.

## When you meet this, and the legal basis

CDD is not a one-off at onboarding — it must be kept current for the life of the relationship. A periodic review is how you refresh it on a schedule set by the client’s risk. The basis below is from CorpSec AI’s verified citation table; this is general information, not legal advice.

- Keep CDD current: a registered CSP must complete customer due diligence before providing services and keep records for at least 5 years — the Corporate Service Providers Act 2024 (in force 9 June 2025; verified). Ongoing, risk-based review is how that stays true over time.
- Risk-driven cadence: higher-risk clients are reviewed more often. Completing a review sets the next review date from the current rating.

> **Note:** For the framework, see MAS, AML/CFT & the CSP Act. Screening runs on demo data until a provider is connected — see the honesty note in step 2.

## How reviews come due

Every client has a next-review date set from its risk rating — higher risk, shorter cycle. The Compliance tab shows a countdown per company: "Next review in N days", "Review due today" or "Review overdue by N days".

_[screenshot: The Compliance tab header with a "Review overdue by 6 days" countdown, and a periodic KYC task in the left panel.]_

> **Note:** When the review scan runs, CorpSec AI creates a periodic KYC task (marked urgent if overdue) and a reminder for each client that is due or overdue, so reviews surface as real work in your list rather than something you have to remember.

## Step 1 — Open the review

Pick up the periodic KYC task (or open the client and go to the Compliance tab). You will see the current KYC status, risk rating and score, and the review countdown.

## Step 2 — Re-screen the client

Run screening again to catch anything new — a fresh sanctions, PEP or adverse-media hit since last time. Dispose of any hits (false positive or confirm), using the AI triage to speed through likely false positives.

> **Heads up:** Remember screening runs on demo data until a provider is connected, and is badged "Demo data" when it does. Connect a provider before relying on re-screening as a genuine watchlist check.

## Step 3 — Refresh due diligence and ownership

Check whether anything material has changed: new officers, a change of ownership, updated documents. Refresh the beneficial-ownership look-through (the 25%-and-above controllers) and update any collected documents.

## Step 4 — Re-rate the risk

Re-assess the client’s risk. If it has moved, the rating updates and — importantly — so does the cadence: a higher rating shortens the time to the next review.

## Step 5 — Record the outcome

Complete the review to record who reviewed the client and when. This sets the next review date and updates the decision trail in the CDD dossier. You can Export CDD Dossier at any point for a complete, reconstructable record.

> **Tip:** Because the outcome writes to the append-only audit log and the dossier, a completed review is evidence you can show in an inspection — see Prepare for an ACRA inspection.

## Common pitfalls & edge cases

- Letting a review go overdue. The review radar surfaces due and overdue clients, but the work still has to be done. An overdue high-risk client is exactly what an inspection will look for.
- Not re-rating after a material change. A change of ownership, new officers, or an adverse-media hit can move the risk rating — and the rating drives the cadence. Refresh the rating, do not just re-run screening.
- Treating demo-data re-screening as a genuine watchlist check. Until a provider is connected, screening is demo data and badged as such. Connect a provider before relying on re-screening for a real sanctions/PEP decision.
- Beneficial ownership not re-checked. Ownership can drift between reviews (transfers, allotments). Re-run the 25%+ look-through, and update the RORC if control has moved (see the RORC playbook).
- Not recording the outcome. A review that is not completed in the system does not set the next-review date and leaves no decision trail — meaning no evidence for an inspection.
- Uniform cadence for everyone. Reviewing all clients on the same clock ignores risk. Higher-risk clients need shorter cycles; the rating should set the date.

> **Note:** A completed review writes to the append-only audit log and the CDD dossier — that is your inspection evidence. An uncompleted review leaves a gap. Not legal advice.

## Frequently asked questions

### Will CorpSec AI email me automatically when a review is due?

Reviews are surfaced as tasks and reminders when the review scan runs. They appear in your work list with an urgency; guaranteed timed emails depend on your firm’s notification setup, so treat the in-app review radar as the source of truth.

### How often does a client need reviewing?

It depends on the risk rating — higher-risk clients are reviewed more often. Completing a review sets the next date automatically based on the current rating.

### What do I hand over if asked to prove I reviewed a client?

Export the CDD dossier, which includes the review schedule and decision trail, plus the append-only audit log entries for the review.

## Related

- [KYC & compliance](/help/kyc-compliance)
- [Prepare for an ACRA inspection (playbook)](/help/scenarios/prepare-for-inspection)
- [MAS, AML/CFT & the CSP Act](/help/regulatory/mas-aml)
- [AML/CFT obligations for CSPs](/resources/csp-aml-cft-obligations)
